Millions of Android Apps at Risk from Eavesdropper Vulnerability

Poor mobile app development practices have created the Eavesdropper vulnerability, which has resulted in a large-scale data exposure from nearly 700 apps in enterprise mobile environments, over 170 of which are live in the official app stores today.

The affected Android apps alone have been downloaded up to 180 million times.

According to researchers at Appthority, Eavesdropper is caused by developers hard-coding their credentials in mobile applications that use the Twilio Rest API or SDK, despite the best practices the company outlines in its documentation. As a result, those applications then give full access to all records stored in the Twilio backend for the developer’s account.

Over the lifetime of the apps and the developer’s use of the same credentials, the Eavesdropper vulnerability exposes massive amounts of sensitive current and historic data, including hundreds of millions of call records, minutes of calls, minutes of call audio recordings, and SMS and MMS text messages.

“Eavesdropper poses a serious enterprise data threat because it allows an attacker to access confidential company information, which may include a range of sensitive information often shared in an enterprise environment, such as negotiations, pricing discussions, recruiting calls, product and technology disclosures, health diagnoses, market data or M&A planning,” said Seth Hardy, Appthority director of security research. “An attacker could convert recorded audio files to text and search a massive data set for keywords and find valuable data.”

Examples of apps with the Eavesdropper vulnerability include an app for secure communication for a federal law enforcement agency, an app that enables enterprise sales teams to record audio and annotate discussions in real-time, and branded and white-label navigation apps for customers such as AT&T and US Cellular.

Further, Appthority said that the issue is not specific to developers who create apps with Twilio.

“Hard-coding of credentials is a pervasive and common developer error that increases the security risks of mobile apps,” said Appthority researchers, in an analysis. “[We] are finding that developers who hard-code credentials in one service have high propensity to make the same error with other services, such as between app tools, in this instance, and data storage like Amazon S3.”

Notably, Eavesdropper does not rely on a jailbreak or root of the device, nor does it take advantage of a known OS vulnerability or attack via malware. Rather, this vulnerability shows how a simple developer mistake of exposing credentials in one app can affect larger families of apps by that same developer using the same credentials, even compromising other apps where best practices were followed, using side-channel and historical attacks.

Twilio has reached out to all developers with affected apps and is actively working to secure their accounts. Unfortunately, Eavesdropper isn’t resolved by removing an affected app from the app store or user’s devices. The lifetime of the app’s data and the data from other apps created by that developer is exposed, until the credentials for all apps are properly updated and, of course, not disclosed in clear text in the apps.

Unfortunately, Eavesdropper is just the latest data leakage discovery by Appthority; researchers also recently identified the HospitalGown vulnerability, which exposed a massive 43 terabytes of data (some of which was ransomed) on over 21,000 backend servers. Appthority also recently highlighted risks associated with platform services such as Uber, and the low adoption of encryption standards such as App Transport Security. These are just a few examples of data and privacy risks that require a thorough analysis of mobile apps to identify mobile threats to enterprise data and privacy.

“The complexity of computing environments and software applications means in both instances, developers and system admins are relying on third-party code and infrastructure to enable services,” said Chris Morales, head of security analytics at Vectra, via email. “The risk of all third-party services is exposure through unknown system and application vulnerabilities, be it APIs used in software development or cloud infrastructure used for hosting those applications and data. It is critical for organizations to perform their own security assessments of third-party services and to provide a form of external monitoring of activities on these services, independent of the service provider. Don’t trust your third-party providers. Monitor what happens in those environments for unapproved behaviors.”